I see the latest version of Apache Tomcat, v6.0.44, has been released. This is great news.

Thanks and Regards
-------------------------------
Raghavendra Neelekani

On 6 May 2015 at 18:16, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Raghavendra,
>
> On 5/6/15 2:19 AM, Raghavendra Nilekani wrote:
> > Thanks for the information. This is useful. I feel I should take
> > the latest available version and upgrade. Once the new version
> > (6.0.44) with the fix is available, I can upgrade once again.
>
> You should really make plans to upgrade to the Tomcat 8.0.x series
> sooner rather than later.
>
> > Can I know the tentative date (month) during which we get the
> > official release of version 6.0.44?
>
> It is likely to be in the next 5-10 days, but we can't make any promises.
>
> -chris
>
> > On 5 May 2015 at 17:15, André Warnier <a...@ice-sa.com> wrote:
> >
> >> Raghavendra Nilekani wrote:
> >>
> >>> Hi
> >>>
> >>> I have an application where I currently use version 6.0.20 of the
> >>> Apache Tomcat bundle from SpringSource. Now, because of security
> >>> vulnerabilities, I have to migrate to the newer latest version of
> >>> Apache Tomcat. I saw the latest version on the Apache Tomcat site
> >>> is Apache Tomcat 6.0.43, where the highest CVE fixed is
> >>> *CVE-2014-0227*.
> >>>
> >>> Now one more recent CVE, *Apache Tomcat File Upload denial of
> >>> service*, has come out. The fix for this problem is not officially
> >>> released by Apache. I see that applying a patch is able to
> >>> eliminate this problem. The bugfix is ready for download at
> >>> svn.apache.org. The vulnerability is also documented in the
> >>> databases at X-Force (102131) and SecurityTracker (ID 1032079).
> >>>
> >>> From seclists.org, I heard this problem was identified as a
> >>> partial DoS (non-persistent, but you can very easily eat up all
> >>> server RAM) and assigned CVE-2014-0230, and then the person
> >>> handling it left Red Hat and it didn't get processed properly.
> >>>
> >>> Can you please tell me, is there any official fix for this
> >>> problem available, and from where can I download the official
> >>> fix for this CVE? When will the Apache Tomcat site have a newer
> >>> version of Apache Tomcat with this CVE fixed?
> >>>
> >>
> >> Hi. I believe that you should first read this:
> >> http://tomcat.apache.org/security.html, at least the first
> >> section, to get a general idea.
> >>
> >> Do not forget that Tomcat is open-source, free software, that the
> >> people developing it and maintaining it do this on a voluntary
> >> basis, and that their time is limited. Other organisations set it
> >> as their task to provide their own versions of Tomcat packages, and
> >> to guarantee that they are "patched" to the latest known security
> >> vulnerabilities. And they (rightly) charge a fee for that work.
> >>
> >> That does not mean that the developers of Apache Tomcat do not take
> >> security vulnerabilities seriously, and do not do their best to fix
> >> them as quickly as possible. But it does mean that there is not
> >> necessarily always a released version of Tomcat available on the
> >> official website, with patches for the latest vulnerabilities.
> >>
> >> So, probably the best you can do is:
> >>
> >> 1) look in the page above (Lists of security problems fixed in
> >>    released versions of Apache Tomcat are available:) for your
> >>    version of Tomcat, and upgrade to a version indicated there if
> >>    appropriate
> >>
> >> 2) otherwise, put pressure on your Tomcat package provider (whom
> >>    you presumably pay for that) to provide the patch you need